Simplify private network access for solutions using Amazon OpenSearch Service managed VPC endpoints
To meet the needs of customers who want simplicity in their network setup with the Amazon OpenSearch Service, you can now use Amazon OpenSearch Service-managed virtual private cloud (
The feature is built using Amazon Web Services PrivateLink. Amazon Web Services PrivateLink provides private connectivity between VPCs, supported Amazon Web Services services, and your on-premises networks without exposing your traffic to the public internet. It provides you with the means to connect multiple application deployments effortlessly to your Amazon OpenSearch Service domains.
This post introduces Amazon OpenSearch Service-managed VPC endpoints, which build on top of Amazon Web Services PrivateLink, and shows how you can access a private Amazon OpenSearch Service domain from one or more VPCs hosted in the same account, or even from VPCs hosted in other Amazon Web Services accounts, using Amazon Web Services PrivateLink managed by Amazon OpenSearch Service.
Amazon OpenSearch Service managed VPC endpoints
Before the launch of Amazon OpenSearch Service managed VPC endpoints, if you needed to gain access to your domain outside of your VPC, you had three options:
- Use VPC peering to connect your VPC with other VPCs
- Use Amazon Web Services Transit Gateway to connect your VPC with other VPCs
- Create your own implementation of an Amazon Web Services PrivateLink setup
The first two options require you to set up your VPCs so that the Classless Inter-Domain Routing (CIDR) block ranges don’t overlap. If they do overlap, your options become more complicated. The third option,
With Amazon OpenSearch Service managed VPC endpoints (i.e., powered by Amazon Web Services PrivateLink), these complex setups and processes are no longer needed!
You can access your Amazon OpenSearch Service private domain as if it were deployed in all the VPCs that you want to connect to your domain. If you need private connectivity from your on-premises hybrid deployments, then Amazon Web Services PrivateLink helps you bring access from your Amazon OpenSearch Service domain to your
By using Amazon Web Services PrivateLink with Amazon OpenSearch Service, you can realize the following benefits:
- You simplify your network architecture between hybrid, multi-VPC, and multi-account solutions
- You address a multitude of compliance concerns by better controlling the traffic that moves between your solutions and Amazon OpenSearch Service domains
Shared search cluster for multiple development teams
Imagine that your company hosts a software as a service (SaaS) application that provides a search application programming interface (API) for the healthcare industry. Each team works on a different function of the API. The development teams, API team 1 and API team 2, are in two different Amazon Web Services accounts, and each has its own VPCs within these accounts. Another team (the data refinement team) works on ingestion and data refinement to populate the Amazon OpenSearch Service domain, which is hosted in the same account as API team 2 but in a different VPC. Each team shares the domain during the development cycles to save costs and foster collaboration on the data modeling.
Solution overview
Self-managed Amazon Web Services PrivateLink architecture to connect different VPCs
In this scenario, prior to Amazon OpenSearch Service managed VPC endpoints (i.e., powered by Amazon Web Services PrivateLink), you would have to create the following items:
- Deploy a Network Load Balancer (NLB) in your VPC
- Create a target group that points to the IP addresses of the Elastic Network Interfaces (ENIs) that Amazon OpenSearch Service creates in your VPC when it launches the domain
- Create an Amazon Web Services PrivateLink endpoint service that references your newly created NLB
When you implement the NLB,
Typically, customers use
With the new simplified networking architecture, your teams go through the following steps.
OpenSearch Service managed VPC endpoints architecture (powered by Amazon Web Services PrivateLink)
Since the Amazon OpenSearch Service takes care of the infrastructure described previously — but not necessarily on the same implementation — all you really need to concern yourself with is creating the connections using the
Once you complete the steps in the instructions and remove your own implementation, your architecture is then simplified as seen in the following diagram.
At this point, the development teams (API team 1 and API team 2) can access the Amazon OpenSearch cluster through an Amazon OpenSearch Service managed VPC endpoint. This option is highly scalable, with a simplified network architecture in which you don’t have to worry about managing an NLB, setting up target groups, or the additional resources. If the number of development teams and VPCs grows in the future, you associate the domain with each new interface VPC endpoint. You can access services in VPCs in the same or different accounts, even if there are overlapping CIDR block IP ranges.
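The cross-account sequence described above, as an added example that is not code from the original post or from AWS: the domain owner authorizes the consumer account, the consumer locks the endpoint's security group down to HTTPS from its own VPC and creates the managed endpoint, and the owner audits who is authorized. The domain name, ARN, account ids, security group id, CIDR and subnet ids are constructed placeholders; each step must be run with credentials for the account named in its comment. Setting AWS_CLI=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS: the
# cross-account sequence for an OpenSearch Service managed VPC endpoint.
# Domain name, ARN, account ids, security group, CIDR and subnet ids are
# constructed placeholders. Set AWS_CLI=echo to print the commands instead
# of running them (dry run); run with "./script.sh demo" to see the flow.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# AuthorizeVpcEndpointAccess takes a 12-digit account id and nothing else,
# so reject anything that does not look like one before it reaches the API.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1, domain owner's account: allow the consumer account to create a
# managed endpoint for this domain. Accounts not listed here cannot.
authorize_consumer_account() {
  domain="$1"; account="$2"
  is_account_id "$account" || { echo "invalid account id: $account" >&2; return 1; }
  $AWS_CLI opensearch authorize-vpc-endpoint-access \
    --domain-name "$domain" --account "$account"
}

# Step 2, consumer account: only HTTPS from the consumer VPC's CIDR should
# reach the endpoint's network interfaces.
restrict_endpoint_sg() {
  sg_id="$1"; cidr="$2"
  $AWS_CLI ec2 authorize-security-group-ingress \
    --group-id "$sg_id" --protocol tcp --port 443 --cidr "$cidr"
}

# Step 3, consumer account: create the managed endpoint in the consumer VPC.
# Remaining arguments are one or more subnet ids; VpcOptions is passed as JSON.
create_managed_endpoint() {
  domain_arn="$1"; sg_id="$2"; shift 2
  subnets=""
  for s in "$@"; do
    subnets="${subnets:+$subnets,}\"$s\""
  done
  $AWS_CLI opensearch create-vpc-endpoint \
    --domain-arn "$domain_arn" \
    --vpc-options "{\"SubnetIds\":[$subnets],\"SecurityGroupIds\":[\"$sg_id\"]}"
}

# Step 4, domain owner's account: list which accounts may create endpoints
# and which endpoints currently exist for the domain (periodic audit).
audit_domain_access() {
  domain="$1"
  $AWS_CLI opensearch list-vpc-endpoint-access --domain-name "$domain"
  $AWS_CLI opensearch list-vpc-endpoints-for-domain --domain-name "$domain"
}

main() {
  # Constructed placeholders: owner account 111122223333 hosts the domain
  # (API team 2 / data refinement team), consumer account 444455556666
  # hosts API team 1's VPC.
  owner_domain=search-dev
  owner_domain_arn=arn:aws:es:us-east-1:111122223333:domain/search-dev
  consumer_account=444455556666
  consumer_sg=sg-0123456789abcdef0
  consumer_cidr=10.20.0.0/16
  authorize_consumer_account "$owner_domain" "$consumer_account"   # owner account
  restrict_endpoint_sg "$consumer_sg" "$consumer_cidr"              # consumer account
  create_managed_endpoint "$owner_domain_arn" "$consumer_sg" \
    subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb                # consumer account
  audit_domain_access "$owner_domain"                               # owner account
}

if [ "${1:-}" = "demo" ]; then main; fi
```

The endpoint only provides network reachability: the domain's access policy (and fine-grained access control, if enabled) still decides which principals can call the domain through it. Keeping the endpoint's security group limited to port 443 from the consumer VPC, and reviewing the list-vpc-endpoint-access output periodically, keeps the exposure of a shared development domain bounded as more teams and VPCs are added.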
Conclusion
In this post, we walked through the architectural design for accessing an Amazon OpenSearch cluster from different VPCs across different accounts using OpenSearch Service-managed VPC endpoints (Amazon Web Services PrivateLink). Using Transit Gateway, self-managed Amazon Web Services PrivateLink, or VPC peering required complex networking strategies that increased operational burden. With the introduction of VPC endpoints for Amazon OpenSearch Service, the complexity of your solutions is greatly reduced and, what’s even better, it’s managed for you!
About the authors